Audit is a pretty scary word that gets thrown around a lot when people talk about HIPAA. The truth is that there is probably a low likelihood for individual practitioners to be randomly audited. Your energies might better be spent on doing HIPAA right, in the right way for you, than on doing it fast.
Business Associates (BA) are individuals or organizations that we entrust with our clients’ sensitive information, and that are not a part of our regular “workforce.” For example, these would include companies that handle your email or video conferencing and have access to clinical information. Most of these companies will provide you with a BA Agreement.
Covered Entities under HIPAA are individuals or organizations that submit electronic billing to insurance companies and, therefore, are required to comply with HIPAA. If you or your biller do not submit electronic billing to your insurance company you are not a covered entity and are not required to comply with HIPAA. However, the fact is that HIPAA is gradually becoming an essential part of the general professional standard of care.
De-identification is the process of making sure that some given set of information doesn’t contain anything that can be used to identify the person or people that it is about. De-identification is generally more relevant to researchers than for the individual psychotherapists.
EHR, EMR, and Encryption: HIPAA has so many associated “E” words! Electronic Health Records, Electronic Medical Records and Encryption all go hand-in-hand. You wouldn’t leave files in your file cabinet without a lock, so also don’t leave any records on your laptop, smartphone, or tablet without encrypting.
Fax is, somehow, still used. Most faxing nowadays is done through electronic fax services. Even though faxing the old-fashioned way (with a landline) was given certain types of leeway under HIPAA, modern electronic fax gets no special leeway under HIPAA.
Group practices need to consider how they approach HIPAA compliance responsibilities. Are they all one HIPAA entity, is each one (group) a covered entity, or is each individual member a HIPAA entity?
HIPAA Investigations or random audits of individual practitioners is low. Audits or investigations of individual practitioners usually take place in response to complaints against a clinician or when a security breach occurs and the clinician needs to report it.
Information about health care services or “protected health information,” (PHI) includes clinical notes, e-mails and other the kinds of information that can identify the client. HIPAA emphasizes that PHI health information be highly protected.
Judgment: When considering your responsibilities under HIPAA, it should be based on managing risks and on making sure you’re working within the standards of HIPAA. It should not be based on fear. Many of the HIPAA standards are actually quite flexible, and most security best practices are achievable for solo psychotherapists.
Kryptonite is a type of fictional alien stone that can take down Superman, and fear is a real and natural feeling that can take down your HIPAA compliance. While an adaptive amount of anxiety or fear can be helpful to getting any project done, high fear is likely to stop your compliance in its tracks. HIPAA compliance is doable. (See our HIPAA Online Courses Package).
Laws In Your State vs. HIPAA is related to the term “preemption.” HIPAA and state laws can both preempt each other depending on certain conditions such as when the state law provides stricter privacy protection or greater privacy rights than HIPAA.
Mitigating security problems is the main focus of HIPAA’s Security Rule. That rule requires covered entities to engage in certain risk management tasks in order to keep electronic protected health information confidential, keep it safe from damage or unwanted changes, and prevent it from being lost.
Notice of Privacy Practices, often called “the HIPAA form,” helps clients know what to expect from you in terms of how you will (and won’t) uphold their privacy. For example, this form informs clients that they can ask to see their records, request to change or amend their records, and advises how to file a complaint with OCR.
Online services, aka “cloud” services, may actually make HIPAA compliance and good security for your clients easier than trying to keep information on your own gear. If you have electronic information about your clients (records, emails, texts, etc.) then entrusting it to a well-reputed and solid cloud service that is aware of your needs under HIPAA might actually be safer than trying to protect it yourself.
Person-Centered Tech is an important resource for all therapists who need help and guidance in managing their therapy tech and with understanding HIPAA and digital ethics. The site contains a huge number of free resources, so use it liberally.
Quitting HIPAA is something quite a few clinicians have decided to do. An attorney should be consulted to be sure of how to manage it correctly, as the process is not made particularly clear in the law. Clinicians who do quit their covered entity status, however, need to be aware of state laws, standard of care around client privacy and security, and professional ethics.
Risk Management is the decision-making lens that HIPAA’s Security Rule requires us to use when making security decisions for our practices. Risk management is not a process of eliminating risks. It is a process of assessing risks and making clear-headed reasonable decisions about how best to mitigate them based on the resources available to you and the overall level of danger posed by each risk.
Security breaches refer to incidents where the safety of information you need to keep protected gets somehow interrupted. Examples can be a stolen laptop with records on it or your email account getting “hacked.” If you’ve confirmed that the confidentiality of any clients has been breached, you would need to report the breach to the OCR (“the HIPAA people”) and to the affected clients. This is one reason why encryption is so important. Encrypting your information can, in certain circumstances, prevent the need to report security incidents.
Training for anyone who works for you, and for yourself, is a necessary part of HIPAA compliance. Anyone who works for you needs to be trained to the extent necessary to make sure they can uphold your policies and procedures that keep you HIPAA compliant.
Unencrypted laptops, smartphones, and tablets are highly vulnerable to security breaches. Mobile devices are valuable and are easy to run off with. If you keep PHI on any such devices, you might be surprised at just how easy it is to encrypt them. Full-device encryption can even prevent the need to report security breaches to clients and the OCR!
Vicissitudes in our technological environment are a big part of why HIPAA seems to change all the time. HIPAA isn’t actually changing, but rather it is the technological environment that constantly evolves. For example, we now keep an enormous amount of our information “on the cloud.” That means it is being kept on various companies’ computers around the Internet. We used to keep almost all of it on our personal devices and it didn’t go anywhere else. Encryption is also far easier to come by than it used to be, so it’s much harder these days to justify leaving our information unencrypted.
Web Sites aren’t just great for practice marketing. They can also be a useful resource for your HIPAA compliance. If you have a website, HIPAA requires that your notice of privacy practices be posted on it.
Xanadu is a movie (and stage musical!) full of love, life, and magic. But it flopped hard at the box office. Luckily, complying with HIPAA is a process rather than a goal. So flopping isn’t likely to happen to you like it did to Xanadu.
Yes you can manage the HIPAA compliance process in a way that works best for your practice. While you do need to address HIPAA’s standards, they’re written to flex to a variety of situations.
Zur Institute is one of the most prolific educational institutions for psychotherapists, counselors and mental health professionals. Along with 170 high quality Online CE Courses, the Institute offers a large library of free articles and resources.